4 Questions That Expose Your Agent Security Blind Spots

Written by Hatice Ozsahan on May 26, 2026


The modern enterprise is no longer defined solely by its human workforce. We have entered the era of a new identity class: AI agents. These autonomous identities act, access, and execute at machine speed, often operating far outside the reach of traditional security perimeters.

As organizations shift from experimental pilots around AI agents to production-grade deployments, the security challenge has moved from “if” we deploy to “how” we secure them at runtime—the precise moment an agent decides to act, calls a tool, and touches enterprise data.

To bridge this gap, CISOs must look beyond legacy tools to resolve an architectural mismatch. Addressing the following four fundamental questions allows security leaders to turn AI complexity into a secure advantage:

  1. Where are my AI agents?
  2. Who is accountable for what they do?
  3. What can they connect to?
  4. Are we enforcing guardrails in real time?

The Scaling Identity Crisis

Recent research from Software Analyst Cyber Research (SACR) and the Stanford Graduate School of Business makes the stakes clear: AI agent adoption has drastically outpaced the security architectures designed to contain it. The scale of this shift makes manual oversight an impossibility.

Consider the numbers:

  • There are over 3 million agents currently operating globally.
  • Enterprises are spinning up thousands of new agents every week.
  • Modern organizations now run roughly 144 non-human identities (NHIs) for every single human user.

When shadow agents and temporary, short-lived agents—which are created for a single task and vanish immediately after execution—are factored in, active identities can reach the thousands per team. 

Yet, legacy Identity and Access Management (IAM) systems were built for two primary actors: humans and deterministic machine identities. AI agents fit neither model. They are high-velocity, context-dependent, and capable of acting without human initiation.

1. Where Are My AI Agents?

Lifecycle Stage: Discover

You can’t govern what you can’t see. In the agentic era, most organizations are operating in a profound visibility vacuum known as Shadow AI. Research indicates that organizations often discover thousands of previously unknown agents in initial scans. These agents aren’t deployed like traditional software; they are created everywhere, by anyone, at any time.

The Architectural Challenge: 

The fastest-growing category of agents—browser-based and local developer tools like Claude Code, Cursor, or Windsurf—is the least visible in enterprise AI workflows. Traditional visibility is fragmented across SaaS platforms and network gateways.

The Endpoint Reality: 

Many modern agents execute locally on the fleet. A discovery layer that only monitors cloud login events or SaaS-based OAuth grants will miss the silent agentic workforce. If an agent is running on a developer’s laptop to refactor code or summarize internal documents, it may never trigger a traditional network alert. This makes the endpoint the most critical, yet often most ignored, source of truth.

The Strategic Approach: To close the visibility gap, leading teams are moving away from one-time inventories toward continuous discovery. This requires a unified system that can:

  • Aggregate signals across browser extensions, local endpoints, and network gateways.
  • Identify locally running resources, such as Model Context Protocol (MCP) servers, which act as hidden execution layers.
  • Reveal ephemeral instances that spin up and down in minutes, escaping traditional periodic scans.
  • Assess posture, not just existence: Knowing an agent exists is the baseline; understanding its security posture at the moment of execution is the goal.

2. Who Is Accountable for What They Do?

Lifecycle Stage: Register

Once an agent is discovered, it must be naturalized. The primary danger of the agentic era is the accountability vacuum. When an autonomous agent takes an action, such as querying a sensitive database or modifying a security policy, the chain of responsibility breaks unless it is deliberately engineered.

In many legacy environments, these agents mask their actions under shared service accounts or, worse, the stolen or borrowed credentials of their creators. This creates a maker identity problem where the agent inherits the broad, standing access of a human without the same behavioral constraints.

The Strategic Approach: 

CISOs must demand a unified control plane that binds an agent’s purpose to a verified human owner and a trusted device. We refer to this as the chain of intent. By registering agents as first-class corporate identities at the moment of creation—not after the fact—you ensure that every interaction is authenticated, auditable, and tied back to a responsible party.

A formal registration process should capture:

  • Purpose: What is this agent designed to do? (e.g., “Analyze customer churn data”).
  • Scope: Which specific data sets and applications does it need to touch?
  • Attribution: Which human user is ultimately accountable for the agent’s outcomes?
  • Device Context: Is this agent running on a managed, healthy device or a rogue, unmanaged container? This is where identity meets device trust.

3. What Can They Connect To?

Lifecycle Stage: Manage

An agent’s risk isn’t determined by what it is; it’s determined by what it can reach. Agents connect to APIs, databases, SaaS applications, and other agents, often simultaneously and at machine speed.

The Model Context Protocol (MCP) is rapidly becoming the primary execution layer for these agents. However, research from SACR reveals that this ecosystem is currently immature: plaintext credentials are common, OAuth adoption remains limited, and “tool poisoning” attacks are highly effective. Most organizations lack even a basic inventory of which MCP servers are running or what they’re connected to.

The Strategic Approach: Most organizations manage only access. Leading teams control connection paths.

  • Enforce Least-Privilege: Apply granular controls across every connection path (MCP, APIs, SaaS). An agent authorized to read data shouldn’t be able to aggregate and exfiltrate it without a specific policy.
  • Eliminate Static Credentials: Replace permanent zombie credentials with time-limited, scoped tokens. Static credentials are the primary fuel for lateral movement in a compromised environment.
  • Automate Offboarding: This is the most common failure point. When an agent’s owner leaves the organization, the platform must automatically revoke every identity, token, and connection path tied to that individual.
  • Secure Agent-to-Agent Interactions: Verify the identity of the calling agent as rigorously as you would a human user.


4. Are We Enforcing Guardrails in Real Time?

Lifecycle Stage: Govern

This is where the model breaks for most organizations. Knowing where agents are and what they can connect to is not enough, because agents don’t behave like traditional, deterministic systems. 

An agent can stay within its permitted access boundaries while still doing something unexpected, harmful, or misaligned with its original intent, such as inadvertently leaking proprietary code into a public model.

The Shift to Agentic Security: Traditional security asks: “Is this identity authorized to access this resource?” Agentic security asks: “Should this action be allowed, given the current context and behavior?” The shift from simple access control to intent evaluation is what makes deterministic (static) governance alone insufficient for the AI era.

The Strategic Approach: To close the accountability gap, CISOs must implement Human-in-the-Loop (HITL) Governance. This does not mean manually approving every action—which would destroy the ROI of AI—but rather enforcing risk-based guardrails:

  • Real-time Authorization: Enforce context-aware policies at the moment of execution. If an agent attempts to call an MCP server from an unmanaged device, the action is blocked instantly.
  • Evaluate Intent and Sequence: Monitor for behavioral drift. If a data-summary agent suddenly begins a large-scale export, the “kill switch” should trigger automatically.
  • Continuous Audit Trails: Provide centralized logging of AI activity correlated to user identity and device context. This is no longer optional; for many, it is a legal mandate under regulations like the EU AI Act.
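As an added example (not code from the original post, and not JumpCloud's product or API), the following Python sketch shows how the registration fields from section 2 (purpose, scope, attribution, device context), the connection controls from section 3 (scoped short-lived tokens, automated offboarding) and the runtime guardrails listed above (context-aware authorization at execution time, a kill switch on behavioral drift, and an audit trail correlated to owner and device) fit together in one policy gate. Every agent id, tool name, user, device and the 10,000-row export baseline are constructed assumptions for the demo.

```python
# Added example: a runtime policy gate for AI agent tool calls.
# All ids, tools, users, devices and the export baseline are constructed
# sample data; this is not any vendor's API.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Agent:
    """Registration record: purpose, scope, attribution and device context."""
    agent_id: str
    purpose: str
    owner: str                  # accountable human user
    allowed_tools: frozenset    # tools / MCP servers the agent may reach
    device_id: str              # managed device it was registered on


@dataclass
class Token:
    """Time-limited, scoped credential issued in place of a static secret."""
    agent_id: str
    scopes: frozenset
    expires_at: datetime
    revoked: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


class RuntimeGate:
    """Evaluates each tool call at the moment of execution and writes an audit entry."""

    def __init__(self, agents, active_users, managed_devices, export_limit_rows=10_000):
        self.agents = {a.agent_id: a for a in agents}
        self.active_users = set(active_users)
        self.managed_devices = set(managed_devices)
        self.export_limit_rows = export_limit_rows   # baseline used for drift detection
        self.tokens = {}         # agent_id -> [Token]
        self.exported_rows = {}  # agent_id -> running export volume
        self.killed = set()      # agents whose kill switch has tripped
        self.audit = []          # centralized trail, correlated to owner and device

    def issue_token(self, agent_id, scopes, ttl_minutes, now):
        tok = Token(agent_id, frozenset(scopes), now + timedelta(minutes=ttl_minutes))
        self.tokens.setdefault(agent_id, []).append(tok)
        return tok

    def offboard_user(self, user):
        """Automated offboarding: revoke every token of every agent the user owns."""
        self.active_users.discard(user)
        affected = [a.agent_id for a in self.agents.values() if a.owner == user]
        for agent_id in affected:
            for tok in self.tokens.get(agent_id, []):
                tok.revoked = True
        return affected

    def authorize(self, agent_id, token, tool, action, device_id, now, rows=0):
        agent = self.agents.get(agent_id)
        decision = self._evaluate(agent, agent_id, token, tool, action, device_id, now, rows)
        self.audit.append({"ts": now.isoformat(), "agent": agent_id,
                           "owner": agent.owner if agent else None, "device": device_id,
                           "tool": tool, "action": action, "rows": rows,
                           "allowed": decision.allowed, "reason": decision.reason})
        return decision

    def _evaluate(self, agent, agent_id, token, tool, action, device_id, now, rows):
        if agent is None:
            return Decision(False, "unregistered agent (shadow AI)")
        if agent_id in self.killed:
            return Decision(False, "kill switch tripped; agent is quarantined")
        if agent.owner not in self.active_users:
            return Decision(False, f"owner {agent.owner} is no longer active")
        if device_id not in self.managed_devices:
            return Decision(False, f"device {device_id} is unmanaged")
        if token.agent_id != agent_id or token.revoked:
            return Decision(False, "token not valid for this agent")
        if token.expires_at <= now:
            return Decision(False, "token expired")
        if tool not in agent.allowed_tools or tool not in token.scopes:
            return Decision(False, f"{tool} is outside registered scope")
        if action == "export":  # intent check: a summary agent turning into a bulk exporter
            total = self.exported_rows.get(agent_id, 0) + rows
            if total > self.export_limit_rows:
                self.killed.add(agent_id)
                return Decision(False, "behavioral drift: export volume exceeds baseline")
            self.exported_rows[agent_id] = total
        return Decision(True, "allowed")


def demo():
    """Constructed scenario (sample data, not real) exercising each guardrail."""
    now = datetime(2026, 1, 1, 9, 0, tzinfo=timezone.utc)
    churn = Agent("agent-churn-01", "Analyze customer churn data", "alice",
                  frozenset({"mcp-warehouse"}), "laptop-alice")
    docs = Agent("agent-docs-01", "Summarize internal documents", "bob",
                 frozenset({"mcp-docs"}), "laptop-bob")
    gate = RuntimeGate([churn, docs], {"alice", "bob"}, {"laptop-alice", "laptop-bob"})
    t1 = gate.issue_token("agent-churn-01", {"mcp-warehouse"}, 30, now)
    t2 = gate.issue_token("agent-docs-01", {"mcp-docs"}, 30, now)
    g, r = gate.authorize, {}
    r["read_ok"] = g("agent-churn-01", t1, "mcp-warehouse", "read", "laptop-alice", now)
    r["unmanaged_device"] = g("agent-churn-01", t1, "mcp-warehouse", "read", "byod-unknown", now)
    r["wrong_tool"] = g("agent-churn-01", t1, "mcp-github", "read", "laptop-alice", now)
    r["shadow_agent"] = g("agent-unknown", t1, "mcp-warehouse", "read", "laptop-alice", now)
    r["expired"] = g("agent-churn-01", t1, "mcp-warehouse", "read", "laptop-alice",
                     now + timedelta(minutes=31))
    r["export_small"] = g("agent-churn-01", t1, "mcp-warehouse", "export", "laptop-alice", now, rows=6_000)
    r["export_drift"] = g("agent-churn-01", t1, "mcp-warehouse", "export", "laptop-alice", now, rows=6_000)
    r["after_kill"] = g("agent-churn-01", t1, "mcp-warehouse", "read", "laptop-alice", now)
    r["docs_ok"] = g("agent-docs-01", t2, "mcp-docs", "read", "laptop-bob", now)
    gate.offboard_user("bob")
    r["offboarded"] = g("agent-docs-01", t2, "mcp-docs", "read", "laptop-bob", now)
    return gate, r


if __name__ == "__main__":
    gate, results = demo()
    for name, d in results.items():
        print(f"{name:18} {'ALLOW' if d.allowed else 'DENY':5} {d.reason}")
```

The order of checks is deliberate: registration and ownership come first (an unregistered or orphaned agent never reaches the token logic), device trust comes before credential validity (a valid token on an unmanaged device is still denied), and the behavioral check runs last because it only makes sense for calls that are otherwise authorized. The drift threshold here is a fixed row count for clarity; a production gate would compare against a learned per-agent baseline.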

What CISOs Should Do Now: Building the Foundation

The decision to secure the agentic environment today is a strategic investment in the organization’s future resilience. Fragmented tools lead to governance silos: managing humans in one IAM system and agents in another creates dark corners where threats thrive.

  1. Invest in Observability Before Governance: You cannot make intelligent authorization decisions without quality data. Start by closing the visibility gap across your endpoints and browsers to understand what agents are actually doing.
  2. Standardize on a Unified Identity Platform: Avoid tool sprawl. Choose a system that manages the full lifecycle of every identity, from human and machine to AI agent, in one place.
  3. Anchor Agents to Trusted Devices: Identity alone is a weak perimeter. If an agent is authorized but running on a compromised, unmanaged laptop, your data is at risk. Linking agentic identity directly to Device Trust ensures the execution environment is secure.
  4. Treat MCP Security as a Distinct Requirement: If your security strategy doesn’t have a plan for securing MCP traffic and servers, you have a critical gap in your control surface.

Intelligence Requires Identity

The agentic era doesn’t have to be a source of fear. For the organizations that get it right, AI can be the greatest productivity accelerator of the decade. But that acceleration is only possible when it is built on a foundation of visibility, control, and accountability.

JumpCloud is the unified control plane that makes Intelligent, Secure IT possible. By unifying the AI agent lifecycle stages (discover, register, manage, and govern) and anchoring them to industry-leading Device Trust, we help CISOs turn the complexity of AI into a safe, optimized advantage.

Learn more about JumpCloud’s Agentic Identity Access Management.

Hatice Ozsahan

Hatice is a Product Marketing Manager at JumpCloud, often busy bringing product value to life with compelling messages that resonate across all channels. When not at work, she’s either battling it out in online video games or getting creative with her art projects.
